Path to pay FTC $800K for collecting childrens' info without consent

The U.S. Federal Trade Commission announced on Friday that social networking application Path has agreed to settle charges that it deceived users by collecting their personal information without consent.

Path is now required to establish a comprehensive privacy program and to obtain independent privacy assessments every other year for the next 20 years. The company has also agreed to pay a $800,000 fine to settle charges that it illegally collected personal information from children without their parents' consent.

"Over the years the FTC has been vigilant in responding to a long list of threats to consumer privacy, whether its mortgage applications thrown into open trash dumpsters, kids information culled by music fan websites, or unencrypted credit card information left vulnerable to hackers," said FTC Chairman Jon Leibowitz. "This settlement with Path shows that no matter what new technologies emerge, the agency will continue to safeguard the privacy of Americans."

In its own statement, Path said that in the company's early history, children under the age of 13 were able to sign up for accounts. Since then, "a very small number" of accounts were closed.

"As you may know, we ask users their birthdays during the process of creating an account," the service said. "However, there was a period of time where our system was not automatically rejecting people who indicated that they were under 13. Before the FTC reached out to us, we discovered and fixed this sign-up process qualification, and took further action by suspending any under age accounts that had mistakenly been allowed to be created."

The settlement and fine bring to an end the dispute over Path, which gained negative media attention a year ago when it was discovered that the popular social networking application was harvesting and uploading contact data. Apple CEO Tim Cook reportedly "grilled" Path co-founder Dave Morin over the alleged privacy breach, and the issue was rectified in a later update to the app.

The controversy prompted members of the U.S. Congress to send a letter to Apple seeking answers on the security of user address books and contacts stored on iOS devices. Path also publicly apologized for its "Add Friends" feature, which it said collected data to improve the quality of friend suggestions and to notify users when a contact joins Path.

The FTC filed a complaint that charged Path's iOS app with misleading consumers. It asserted that Path "provided consumers with no meaningful choice regarding the collection of their personal information."

In addition, the FTC alleged that Path's privacy policy had deceived consumers. Path had claimed it automatically collected only certain user information, such as an IP address, operating system, or browser type, but in reality the Path application automatically collected and stored address book information when the application was launched, and continued to do so each time a user signed back into their account.

The FTC also asserted that Path had violated the Children's Online Privacy Protection Act Rule by collecting personal information from about 3,000 children under the age of 13 without first getting parents' consent.

In addition to the $800,000 penalty that Path will pay, the social networking service is prohibited from making any misrepresentations about the extent to which it maintains the privacy and confidentiality of consumers' personal information. Path must also delete information collected from children under age 13. The service has already reportedly deleted the address book information it collected during the time when its deceptive practices were in place.

The FTC also released a companion report today calling on Amazon, Apple, and Google (among others) to better clarify their privacy policies to users of their services.

"The report recommends that mobile platforms should:

Provide just-in-time disclosures to consumers and obtain their affirmative express consent before allowing apps to access sensitive content like geolocation;
Consider providing just-in-time disclosures and obtaining affirmative express consent for other content that consumers would find sensitive in many contexts, such as contacts, photos, calendar entries, or the recording of audio or video content;
Consider developing a one-stop "dashboard" approach to allow consumers to review the types of content accessed by the apps they have downloaded;
Consider developing icons to depict the transmission of user data;
Promote app developer best practices. For example, platforms can require developers to make privacy disclosures, reasonably enforce these requirements, and educate app developers;
Consider providing consumers with clear disclosures about the extent to which platforms review apps prior to making them available for download in the app stores and conduct compliance checks after the apps have been placed in the app stores; and
Consider offering a Do Not Track (DNT) mechanism for smartphone users. A mobile DNT mechanism, which a majority of the Commission has endorsed, would allow consumers to choose to prevent tracking by ad networks or other third parties as they navigate among apps on their phones."

In addition, the FTC alleged that Path's privacy policy had deceived consumers. Path had claimed it automatically collected only certain user information, such as an IP address, operating system, or browser type, but in reality the Path application automatically collected and stored address book information when the application was launched, and continued to do so each time a user signed back into their account.

#1) They're Proven Liars.

This doesn't happen accidentally. The developers have to make very specific calls to access this personal data and they need to explicitly send it back to the company, and they clearly lied about what their app did.

The FTC also asserted that Path had violated the Children's Online Privacy Protection Act Rule by collecting personal information from about 3,000 children under the age of 13 without first getting parents' consent.

#2) They're Idiots.

Anyone with even a tiny brain knows better than to create an account for kids 12 and under when they tell you their freakin' age!

Path also publicly apologized for its "Add Friends" feature, which it said collected data to improve the quality of friend suggestions and to notify users when a contact joins Path.

#3) They place their own needs above their users' privacy. Of course this is the case for many, if not most, social networking apps/sites.

The FTC filed a complaint that charged Path's iOS app with misleading consumers. It asserted that Path "provided consumers with no meaningful choice regarding the collection of their personal information."

#4) They're Scum.

It doesn't take a lot of effort to ask your users if it's okay to scan through their contacts and clearly spell out what you're going to do with that information. In Advance! But in their haste and greed, they didn't even bother to do that. And it's not just Path, it's many of these socially-connected apps that want to get access to your personal contacts.

The problem actually runs deeper than that.

If YOU decide you want to share YOUR personal information with Path (or Facebook or Google or any other such personal data-harvesting company), that's fine. That's your business. But just because you're my friend, that doesn't mean I want you to share MY personal information with any of these companies. That's where the entire social networking / contact harvesting model fails terribly.

In 2013, what kind of steps does one have to take to NOT have their personal information shared with random companies they have no relationship with? Do we really have to start asking our friends to not put us in any of their contact lists? The situation has gotten so out of control, what else can you do? This is a serious question.

Originally Posted by Blah64
In 2013, what kind of steps does one have to take to NOT have their personal information shared with random companies they have no relationship with? Do we really have to start asking our friends to not put us in any of their contact lists? The situation has gotten so out of control, what else can you do? This is a serious question.

The easiest solution is not having friends. But don't have enemies; they'll make websites about you to vent and your information will get out that way.

Otherwise you'll just have to ask each of them in turn not to put any of your information on any of those sites. But will they comply?

If YOU decide you want to share YOUR personal information with Path (or Facebook or Google or any other such personal data-harvesting company), that's fine. That's your business. But just because you're my friend, that doesn't mean I want you to share MY personal information with any of these companies. That's where the entire social networking / contact harvesting model fails terribly.

In 2013, what kind of steps does one have to take to NOT have their personal information shared with random companies they have no relationship with? Do we really have to start asking our friends to not put us in any of their contact lists? The situation has gotten so out of control, what else can you do? This is a serious question.

I actually had a friend ask me to take him out of my contacts just in case it gets shared with a third party. We talked and agreed that I'd just give him a really odd nickname that meant nothing and changed his pic to something generic. He was ok with that and I was glad to not have to refer to a written contact book to call, email, mail him. Not sure if it solved anything, but that's how it panned out.

The only way to secure your personal information from third parties you don't have a relationship with is to ask everyone you know (and maybe everyone they know) to only keep your info written down on a pice of paper. Also you can never send receive email from something like a Gmail account since they'll have the info as well. Basically, you have to go back to pre-internet days.

They're not dead, after that?
Then again, FaceBook is still alive. Not using any of them, I have to say.

Yes Facebook is far worse, they themselves say they continue to collect all they can on you even after you delete your account. Once on FB you are stuck there, while they continue to collect all they can on you!

Google is a little more polite, but is also in the business of collecting personal info.

With all the android (by Google) phones,

collecting info on everything you do on your phone, Google has lots of info on many.

The easiest solution is not having friends. But don't have enemies; they'll make websites about you to vent and your information will get out that way.

Yes, this is a good point, especially with kids. Er, I mean teens and twenty-somethings. It's also a concern with friends that might do something mean out of spite in a heated moment because even if they change their mind soon after, because nothing ever truly disappears from the interwebs. Some of it may depend on reasons for keeping personal information offline and out of the hands of personal profiling companies. For those who have been stalked/threatened, one would hope "real friends" would understand, but teens can often be stupid and malicious without thinking about long-term consequences, so personally I think it's better in that case to just not say anything except to request people not put contact info in their electronic lists.

Otherwise you'll just have to ask each of them in turn not to put any of your information on any of those sites. But will they comply?

Kinda depends on the first question, right? Are they really your friends?